
Biometric Privacy in 2022: How to Comply with Emerging Laws (Part 3)

Legaltech News

This is the third article in a three-part series analyzing key developments in the area of biometric privacy that took place in 2021, as well as what companies can expect in 2022. Part one took a look back at the major developments of 2021 and the current legal landscape as it exists as we enter 2022. Part two explored what companies can expect in the biometric privacy arena over the next year. And part three offers tips and strategies for companies to maintain compliance with both current and anticipated biometric privacy laws based on lessons learned to date.


2021 added a number of new, complex wrinkles to the landscape of biometric privacy—and companies can expect to see more of the same in 2022.

This is especially true given the anticipated high volume of Illinois Biometric Information Privacy Act (BIPA) class action filings, expanded BIPA class action litigation exposure, and the addition of various new biometric privacy laws and ordinances enacted around the country—each with their own intricacies and unique compliance requirements.

At the same time, companies will also have to deal with the Federal Trade Commission’s (FTC) new focus on more heavily scrutinizing the use of facial biometrics—an issue that businesses did not have to worry about in prior years.

Taken together, these developments mean that companies that use biometric data in their business operations should strategically enhance their current compliance programs, not only to ensure they can satisfy current biometric privacy laws, but also to build in the flexibility needed to pivot quickly and adapt to the new laws and other requirements that will inevitably be added to the mix in 2022.

In particular, below are several key compliance steps that companies are encouraged to take if they have not already done so.

Privacy Policy

Maintain a publicly-available, biometrics-specific privacy policy that provides, at a minimum, the following disclosures: (1) the types of biometric data being collected; (2) the purposes for which biometric data is used; (3) the length of time biometric data will be retained; and (4) the company’s schedule and guidelines for permanently destroying biometric data.

In addition, policies, procedures, and protocols must be maintained to facilitate compliance with the company’s established biometric data retention schedule and destruction guidelines. A written schedule is only as good as its enforcement: the company should be able to show, for any record, when it was collected, when it became due for destruction, and when it was actually destroyed.
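The following is an added example, not code from the article or its author, of what an enforced retention schedule looks like in practice. It assumes a hypothetical schedule (the retention periods and data types are assumptions for illustration, not figures from the article), and a destruction rule of "purpose satisfied or retention window expired, whichever comes first"; adjust both to the company's own published policy. Records are destroyed with a reason logged, records that should already have been destroyed are reported as overdue, and records with no matching rule are flagged rather than silently kept or deleted.

```python
"""Retention-schedule enforcement for biometric records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical retention schedule, counted from the individual's last
# interaction with the company. These periods are assumptions for the
# example, not figures taken from the article.
RETENTION_SCHEDULE: Dict[str, timedelta] = {
    "face_template": timedelta(days=365),
    "fingerprint_template": timedelta(days=180),
}


@dataclass
class BiometricRecord:
    record_id: str
    data_type: str
    last_interaction: date
    purpose_satisfied: bool          # e.g. employee offboarded, enrollment withdrawn
    destroyed_on: Optional[date] = None


def destruction_due_date(rec: BiometricRecord, schedule=RETENTION_SCHEDULE) -> date:
    """Date on which the retention window for this record expires."""
    return rec.last_interaction + schedule[rec.data_type]


def must_destroy(rec: BiometricRecord, today: date, schedule=RETENTION_SCHEDULE) -> bool:
    """Destroy when the collection purpose is satisfied OR the retention
    window has expired, whichever comes first (assumed rule)."""
    if rec.destroyed_on is not None:
        return False
    return rec.purpose_satisfied or today >= destruction_due_date(rec, schedule)


def run_retention_sweep(records: List[BiometricRecord], today: date,
                        schedule=RETENTION_SCHEDULE) -> Tuple[List[str], List[str]]:
    """Mark due records as destroyed and return (destroyed_ids, audit_log).

    The audit log is the evidence that the published schedule is actually
    followed; 'OVERDUE' entries reveal sweeps that did not run on time.
    """
    destroyed, log = [], []
    for rec in records:
        if rec.data_type not in schedule:
            log.append(f"{today} FLAG {rec.record_id}: no retention rule for {rec.data_type}")
            continue
        if not must_destroy(rec, today, schedule):
            continue
        if rec.purpose_satisfied:
            reason = "purpose satisfied"
        else:
            overdue_days = (today - destruction_due_date(rec, schedule)).days
            reason = "retention window expired"
            if overdue_days > 0:
                reason += f", OVERDUE by {overdue_days} days"
        rec.destroyed_on = today
        destroyed.append(rec.record_id)
        log.append(f"{today} DESTROY {rec.record_id} ({rec.data_type}): {reason}")
    return destroyed, log


def sample_records() -> List[BiometricRecord]:
    """Constructed sample data for the example; not real records."""
    return [
        BiometricRecord("A", "face_template", date(2021, 1, 1), False),
        BiometricRecord("B", "fingerprint_template", date(2021, 12, 1), True),
        BiometricRecord("C", "face_template", date(2021, 12, 1), False),
        BiometricRecord("D", "iris_template", date(2021, 6, 1), False),
        BiometricRecord("E", "face_template", date(2020, 1, 1), False,
                        destroyed_on=date(2021, 1, 1)),
    ]


if __name__ == "__main__":
    ids, audit = run_retention_sweep(sample_records(), date(2022, 1, 26))
    print("destroyed:", ids)
    print("\n".join(audit))
```

Running the sweep daily from a scheduler, and retaining the audit log separately from the biometric store, gives the company the record it needs to demonstrate that destruction happened on the dates its policy promises.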

Written Notice

Provide written, individualized notice prior to the time any biometric data is collected or otherwise obtained which conspicuously discloses, at a minimum, the following: (1) that biometric data is being collected; (2) the types of biometric data being collected; (3) the purposes for which biometric data is being used; (4) the length of time biometric data will be retained or stored before it is permanently destroyed; and (5) how individuals can obtain additional information regarding the company’s biometrics practices.

Written Consent

Obtain advance, affirmative consent in writing from individuals—before the time any biometric data is collected—which authorizes the company and any of its biometrics service providers to collect, possess, and use the individual’s biometric data for the purposes specified in the company’s privacy policy and/or notice.

In addition, where consent is obtained online, the consent mechanism (which is usually presented to website visitors via a pop-up screen) should also: (1) include hyperlinks to both the company’s and any third-party service providers’ terms and conditions and privacy policies; and (2) clearly and conspicuously state that, in addition to consenting to the collection and use of his or her biometric data, the individual also agrees to be bound by the applicable terms and conditions and privacy policies identified in the company’s notice/consent.

Prohibition on Selling or Otherwise Profiting From Biometric Data

Implement and adhere to a formal, written policy strictly barring any sale or other type of transaction that involves profiting from biometric data. In addition, maintain mechanisms to ensure no biometric data is sold or otherwise used for profit by the company or its employees, agents, or vendors. Lastly, educate all employees, agents, and vendors on the company’s policy which strictly precludes any sale or other for-profit use of biometric data in the company’s possession or control.

Data Security Measures

Implement data security measures to protect all biometric data that is captured, used, possessed, and stored from improper disclosure, access, or acquisition. Unlike a password or account number, a biometric identifier cannot be reissued once it is compromised, so biometric templates should be treated as the most sensitive class of data the company holds.

These security measures must protect biometric data: (1) using the reasonable standard of care applicable to the company’s given industry; and (2) in a manner that is the same or more protective than the manner in which the company stores, transmits, and protects other forms of sensitive personal information.

Service Provider Risk Management

In addition to ensuring their own compliance, companies must also take proactive steps to mitigate liability exposure stemming from their third-party biometrics service providers and related entities.

Before entering into an agreement with any service provider that will provide biometrics services or otherwise have access to the company’s biometric data, engage experienced biometric privacy counsel to complete the necessary due diligence and vetting that is required to ensure the service provider has policies, practices, and protocols in place to both comply with any relevant biometric privacy laws and safeguard all biometric data in its possession.

When negotiating service agreements with biometrics service providers, ensure these agreements contain provisions that adequately protect the company against the risks associated with class action litigation stemming from the service provider’s services or its non-compliance with applicable biometric privacy laws.

In particular, service agreements should include a strong indemnification provision requiring the service provider to fully indemnify the company for any litigation arising from the company’s use of the service provider’s biometrics solutions or services.

Service agreements should also include a provision permitting the company to identify the service provider by name, as well as the ability to link to the service provider’s terms and privacy policy, in the business’s privacy policy, notice, consent, and related compliance materials, which will allow for the implementation of a robust consent mechanism like the one described above.

Arbitration Agreements & Class Action Waivers

Utilize arbitration agreements and class action waivers to limit potential class action liability exposure in connection with the collection and use of biometric data.

The ability to resolve disputes through binding individual arbitration, as opposed to class action litigation, is an especially important tool for companies across all industries that face an ever-growing risk of bet-the-company BIPA (and other types of privacy) litigation. Arbitration offers a myriad of benefits, including cost savings and the ability to resolve disputes expeditiously and efficiently, among others.

Additional Compliance Measures to Mitigate Increased FTC Liability Exposure

For companies that use facial biometrics in their operations, careful consideration must be given to mitigating the significant liability risk that now exists due to the FTC’s newfound focus on policing the misuse of facial recognition.

In particular, consider implementing the following protocols recommended by the FTC for using facial recognition properly: (1) design and implement services that utilize facial biometrics with consumer privacy as a top priority; (2) develop sound methods for determining when to keep facial template data and when to dispose of it; (3) obtain new, subsequent express consent from individuals before using facial template data in a manner that is materially different than what was represented at the time of initial collection; and (4) complete pre-deployment testing of facial recognition software to ensure its effectiveness and accuracy prior to its use in real-time situations.

Consult With Experienced Biometric Privacy Counsel

Lastly, consult with experienced biometric privacy counsel before implementing any type of biometrics technology or tool—or making any substantive modifications to any existing biometrics program—to ensure compliance with the constantly-evolving biometric privacy legal landscape.

Conclusion

As in years past, 2022 is likely to bring an expansion of BIPA class action liability risk, as well as the enactment of several new biometric privacy laws at the state and municipal levels. 2022 will also likely see greater FTC enforcement over the misuse of biometrics. Taken together, companies should brace themselves for more complex, time-intensive compliance burdens and greater liability exposure as we move through 2022.

To get ahead of the compliance curve, now is the time to proactively put in place flexible, adaptable biometric privacy compliance programs. Doing so will not only facilitate compliance with current biometric privacy laws, but also provide the ability to adeptly respond to the ever-expanding web of biometric privacy laws, which is sure to see many notable changes over the course of the next year.

“Biometric Privacy in 2022: How to Comply with Emerging Laws (Part 3),” by David J. Oberly was published in Legaltech News on January 26, 2022.